Ensure rq_config.py permissions are restored on next upgrade

In a future 2.10.1 upgrade, the global chown over /var/www/securedrop would've blown away rq_config.py's root:www-data ownership, breaking read access for www-data. Add an exclusion, just like the existing one for config.py.
freedomofpress · Sep 18, 2024 · b46ee14 · b46ee14
1 parent 71502d5
commit b46ee14
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/securedrop/debian/securedrop-app-code.postinst b/securedrop/debian/securedrop-app-code.postinst
@@ -251,12 +251,16 @@ case "$1" in
     chown -R root:root /var/www/securedrop
     chmod 755 /var/www/securedrop
 
-    # Make sure config.py is owned by root and readable by www-data,
+    # Make sure config.py and rq_config.py are owned by root and readable by www-data,
     # but not world-readable
     if [ -f "/var/www/securedrop/config.py" ]; then
         chown root:www-data /var/www/securedrop/config.py
         chmod 640 /var/www/securedrop/config.py
     fi
+    if [ -f "/var/www/securedrop/rq_config.py" ]; then
+        chown root:www-data /var/www/securedrop/rq_config.py
+        chmod 640 /var/www/securedrop/rq_config.py
+    fi
     # And logo needs to be writable by webserver user
     # If there's no custom logo yet, copy the default in its place
     if [ ! -f "/var/www/securedrop/static/i/custom_logo.png" ]; then